I am the Owner and Organization Administrator of a Google Cloud organization.
For a Firebase project owned by my account (which belongs to the same organization), I need to invite an external developer. However, when I try to add them, I receive the following error:
An organization policy restricts that only users from specific domains are allowed. Please contact an organization admin.
To resolve this, I attempted to modify the iam.allowedPolicyMemberDomains policy. However, when I try to update it, I get another error stating that I lack the orgpolicy.policies.create authorization.
Since I am already the Organization Administrator, I would expect to have the necessary permissions.
My questions:
1. Why am I missing the orgpolicy.policies.create permission?
2. How can I modify the iam.allowedPolicyMemberDomains policy to allow external users?
3. Is there an alternative approach to invite an external developer in this scenario?
Any guidance would be greatly appreciated!
asked Feb 6 at 10:47 by salvabalza

Comment by Sai Chandra Gadde (2 days ago): Did you have time to check my answer? Did it help you solve your issue? If not, I am happy to assist further. What should I do when someone answers my question?
1 Answer
To invite an external developer, there are multiple methods, mentioned below:

1. Remove the organization policy containing the Domain Restriction constraint. Apply the role to the user/service account. Implement the organization policy with the Domain Restriction constraint again, following this official doc. (This resolution has worked in most cases.)

2. Modify the domain policy by adding a new domain. Follow the official GCP document to add a customer ID, checking the example there.

3. Another method is to grant access to a Google group that contains the service accounts, by following these steps:
   - Create a Google group within the allowed domain.
   - Use the Google Workspace administrator panel to turn off domain restriction for that group.
   - Add the service account to the group.
   - Grant access to the Google group in the IAM policy.

When trying to modify the domain you are getting an error, even though you have the Organization Administrator role, which is enough for modifying the policy. Try the other workarounds, which might help you resolve your issue. If they don't, then it might be an issue. Could you create a new Issue Tracker thread describing your issue? If you have paid support, try creating an issue there.
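The gcloud side of the two approaches the answer describes (checking which org-level roles the calling account actually holds, and rewriting the iam.allowedPolicyMemberDomains policy to allow an additional customer ID), as an added shell example that is not from the question or the answer. ORG_ID and the C0... customer IDs are placeholders, and it assumes an authenticated gcloud; the permission named in the error, orgpolicy.policies.create, is carried by the predefined role roles/orgpolicy.policyAdmin, which is distinct from roles/resourcemanager.organizationAdmin.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or the answer above.
# Placeholders: ORG_ID below and the C0... customer IDs passed as arguments.
set -eu

ORG_ID="${ORG_ID:-123456789012}"   # placeholder numeric organization ID
CONSTRAINT="iam.allowedPolicyMemberDomains"

# Question 1: list the org-level roles bound to the active gcloud account.
# orgpolicy.policies.create belongs to roles/orgpolicy.policyAdmin, a predefined
# role separate from roles/resourcemanager.organizationAdmin, so check for it here.
show_my_org_roles() {
  local me
  me="$(gcloud config get-value account 2>/dev/null)"
  gcloud organizations get-iam-policy "$ORG_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:user:${me}" \
    --format="value(bindings.role)"
}

# Question 2: the constraint is keyed on Cloud Identity / Workspace customer IDs
# (C0...), not on domain names; your own org's ID is the DIRECTORY_CUSTOMER_ID
# column of `gcloud organizations list`. Render a policy that allows every ID
# given as an argument. Keep your own ID in the list or your users are locked out.
render_policy() {
  [ "$#" -ge 1 ] || { echo "render_policy: need at least one customer ID" >&2; return 1; }
  echo "name: organizations/${ORG_ID}/policies/${CONSTRAINT}"
  echo "spec:"
  echo "  rules:"
  echo "  - values:"
  echo "      allowedValues:"
  local cid
  for cid in "$@"; do echo "      - ${cid}"; done
}

# Show the current effective policy for review, then apply the rendered one.
apply_policy() {
  local tmp
  tmp="$(mktemp)"
  gcloud org-policies describe "$CONSTRAINT" --organization="$ORG_ID" --effective
  render_policy "$@" > "$tmp"
  gcloud org-policies set-policy "$tmp"
  rm -f "$tmp"
}
# Usage:  ./allowed_domains.sh roles
#         ./allowed_domains.sh apply C0yourorgid C0externalid
case "${1:-}" in
  roles) show_my_org_roles ;;
  apply) shift; apply_policy "$@" ;;
esac
```

Run `roles` first: if roles/orgpolicy.policyAdmin is absent, `apply` will fail with the same orgpolicy.policies.create error until someone with that role grants it or makes the change.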